Archive for HIPAA News

Anyone who has a Blue Cross Blue Shield (BCBS) health insurance plan, with a few exceptions, should have free identity protection services as of January 1, 2016.

The national Blue Cross Blue Shield Association (BCBSA) announced July 14 that it would offer these free services as a permanent benefit to more than 106 million customers at all Blue companies nationwide.

This is the latest step in the health insurance giant’s efforts to protect customer safety and security in a world where cyber-attacks are a constant threat to every business and government entity. BCBS companies have, consequently, taken aggressive steps to protect their customers and lead the healthcare industry in cybersecurity, according to a press statement.

Deven McGraw, a well-known health data privacy expert and federal legal advisor, just joined the HHS Office for Civil Rights on June 29. She takes over as deputy director of health information privacy and will head up the agency’s HIPAA policy and enforcement efforts.

OCR announced the appointment earlier in June. McGraw comes to OCR from Manatt, Phelps & Phillips, LLP, where she was a partner and co-chair of the law firm’s privacy and data security practice. The firm has offices in California, New York, Washington, D.C., and Mexico.

A new healthcare bill aimed at accelerating the development of new clinical drugs and innovative treatments would allow federal regulators to relax portions of HIPAA privacy laws in the name of research, as well as penalize electronic health record vendors that fail to comply with standards for interoperability and safe information exchange. The proposed bill also allows penalties for vendors who engage in information blocking.

The 21st Century Cures Act was co-authored by U.S. Reps. Fred Upton (R-Mich.) and Diana DeGette (D-Colo.), who began work on the bill more than a year ago. They, along with three other co-sponsors, unveiled a draft of the bill April 30, which was then amended and presented to the House Committee on Energy and Commerce’s Subcommittee on Health. It passed by voice vote.

Among other things, the bill would allow HHS to revise or clarify provisions of the HIPAA Privacy Rule in regard to use and disclosure of patients’ PHI for the purposes of research.

In the wake of the cyberattack that exposed the PHI of nearly 80 million current and former Anthem, Inc., subscribers, the health insurer is refusing to comply with requests for a security audit by the Office of Personnel Management’s (OPM) Inspector General, according to HealthData Management.

Anthem participates in the Federal Employees Health Benefits Program. The program provides health benefits to civilian government employees and annuitants in the U.S. The OPM oversees this program and conducts vulnerability scans and configuration compliance audits of participants’ computer servers. Anthem refused the audit as it is against its corporate policy, HealthData Management reported.

In 2013, the OPM Office of the Inspector General attempted to audit Anthem but the insurer implemented restrictions that prevented auditors from adequately testing the security of Anthem systems. The final 2013 report on Anthem (known as Wellpoint, Inc., at the time) states that the agency was unable to attest that the insurer’s servers were secure.

Much can be learned by simply looking at the way Anthem reacted to the breach and began its breach notification process.

“They had a plan, they reacted quickly, they were on top of it,” says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon. “That’s something that I can’t say for many healthcare organizations.”

Having an incident response plan in place proves valuable regardless of the size of an organization or a breach, he says. This must be regularly tested and retested to ensure employees are aware of the plan and how the plan works so updates can be made, if necessary.

Although it is important to have an incident response plan in place, the Anthem breach highlights the fact that organizations need more to ensure PHI is secure, says Mac McMillan, FHIMSS, CISSM, co-founder and chief executive officer of CynergisTek, Inc., in Austin, Texas.

“Healthcare organizations have to invest in technology and services that enhance their detection capabilities,” McMillan says. “The bottom line we need to spend more attention on making it harder for hackers to exploit our enterprises and exfiltrate data.”